US7624442B2 - Memory security device for flexible software environment - Google Patents

Memory security device for flexible software environment Download PDF

Info

Publication number
US7624442B2
US7624442B2 US10/817,148 US81714804A US7624442B2 US 7624442 B2 US7624442 B2 US 7624442B2 US 81714804 A US81714804 A US 81714804A US 7624442 B2 US7624442 B2 US 7624442B2
Authority
US
United States
Prior art keywords
processor
application code
integrated circuit
code
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US10/817,148
Other versions
US20050028004A1 (en
Inventor
Andrew Dellow
Peter Bennett
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STMicroelectronics Research and Development Ltd
Original Assignee
STMicroelectronics Ltd Great Britain
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by STMicroelectronics Ltd Great Britain filed Critical STMicroelectronics Ltd Great Britain
Publication of US20050028004A1 publication Critical patent/US20050028004A1/en
Assigned to STMICROELECTRONICS LIMITED reassignment STMICROELECTRONICS LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BENNETT, PETER, DELLOW, ANDREW
Application granted granted Critical
Publication of US7624442B2 publication Critical patent/US7624442B2/en
Assigned to STMICROELECTRONICS (RESEARCH & DEVELOPMENT) LIMITED reassignment STMICROELECTRONICS (RESEARCH & DEVELOPMENT) LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: STMICROELECTRONICS LIMITED
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • G06F12/1441Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect

Definitions

  • the present invention relates to a memory security device, and in particular to the security of flash memory used in conditional access devices.
  • a known way of attempting to prevent hacking is to use some form of checking instructed by ROM memory to ensure that an application code stored in flash memory is correct.
  • a flash memory has a boot sector and an application sector.
  • a CPU is arranged to run application code from the flash memory retrieved over an interface.
  • the security is provided by the fact that the CPU boots from a boot ROM which contains code to check the boot sector of the flash memory. This is done once by the CPU producing a function of the code in the boot sector and comparing with a stored signature on startup. The CPU then jumps to the code in the boot sector if it passes the check.
  • the CPU thereafter runs from unchecked code and no further checks are conducted, because the verification of code is only conducted on boot up from the ROM.
  • An embodiment of the invention comprises an additional processor termed a verifier processor and code arranged to read data from a memory to be checked, to produce a function of that data, and to verify that function of the data against a stored code.
  • the verifier processor is on the same device and has the same external interfaces as a CPU which runs application code from the memory.
  • the verifier processor is arranged to continually check the flash memory whilst the CPU executes from the flash memory. If the address lines of the device were redirected so that the CPU runs from unauthorised code, then the verifier processor would also be redirected to that unauthorised code which would not pass the check.
  • Code stored in memory is thus hashed using a hashing function such as MD5 and signed using a signature algorithm such as RSA by the author of the code.
  • the hash of the code is signed using a private key, and stored in flash.
  • the verifier processor reads the section of signed code, and produces a hash of the code.
  • the verifier processor uses the corresponding public key to decrypt the hash.
  • the prestored signature of the hash signed with the private key is retrieved and also decrypted using the public key.
  • known digital signature techniques the result of hashing and signing the code is compared with the decrypted stored digital signature. If they do not match, the code is considered compromised and the circuit functioning is impaired by issuing a device reset or similar.
  • an instruction monitor is arranged to monitor instructions from the CPU to read from memory and checks that the instruction fetches are within a range of addresses that have been signature checked as described above.
  • the embodiment thus comprises an additional processor function which runs independently of a CPU but is within the same integrated circuit as that CPU and shares the same bus.
  • the processor function analyses the application code applied to the CPU and, if not authentic, issues a reset signal to reset the integrated circuit.
  • An instruction monitor ensures that the CPU can only take instructions from checked areas of memory. On detecting code fetches which fall outside the allowed range, the function of the circuit is impaired by issuing a reset or other impairing action.
  • FIG. 1 shows the main components of an integrated circuit embodying the invention
  • FIG. 2 shows a more detailed view of the architecture of the autonomous flash checker (AFC) shown in FIG. 1 ;
  • FIG. 3 shows the link list structure for two nodes
  • FIG. 4 shows the flash memory structure including link lists of FIG. 3 ;
  • FIG. 5 shows the process steps of checking code.
  • FIG. 1 An integrated circuit 1 according to one embodiment of the invention is shown in FIG. 1 .
  • a processor (CPU) 10 is connected via an internal bus 8 and an external interface 20 to a flash memory 2 .
  • the flash memory 2 contains application code for execution by the CPU 10 .
  • Internal RAM 4 and external RAM 6 are also provided.
  • the circuit 1 also comprises two additional components for ensuring that code in flash 2 is not hacked: a verifier processor 22 known as an Autonomous Flash Checker (AFC) and an instruction monitor (IM) 24 .
  • AFC Autonomous Flash Checker
  • IM instruction monitor
  • the purpose of the AFC is to check portions of code from memory 2 and verify that those portions match a corresponding signature accompanying the code. If the signature does not match, then the AFC 22 will issue a reset instruction.
  • the purpose of the instruction monitor 24 is to monitor code instruction requests on an instruction line 12 from the CPU 10 and to check that the requests fall within an allowed range as reported by the AFC 22 . If the instruction requests fall outside that range, the instruction monitor 24 issues a reset instruction. The CPU 10 is thereby prevented from executing unsigned unchecked code.
  • the CPU 10 On power up of integrated circuit 1 , the CPU 10 is directed to the boot vector of the flash memory 2 . The application code is then retrieved over bus 8 by the CPU 10 which executes the code. The application code is stored in a signed code portion of the flash memory 2 . It is noted that the AFC 22 is connected to the same internal bus 8 and external connections as the CPU, and so retrieves exactly the same code as the CPU without possibility of external interference. This is because the CPU, AFC processor and interconnect bus 8 are all part of the same integrated circuit.
  • the CPU 10 and flash memory 2 operate in a known fashion, unless the AFC processor determines that the application code in flash memory 2 is not authentic, in which case, it impairs operation of the device 1 by issuing a reset causing the device 1 to reset and the boot sequence to be restarted. Thus, if the application code has been tampered with, the set top box will repeatedly reboot and will not function for example to decrypt received TV signals. Other forms of impairing the operation of device 1 could be used such as disabling or stopping the device clock or otherwise limiting the functionality of the device.
  • a CPU core 30 provides the encryption/decryption functions as well as the digital signature checking already described, and operates under instruction from code ROM 32 .
  • the code ROM contains code for executing digital signature checking and memory to memory data processing functions. It also contains the public key of the or each provider of the code that is stored in flash 2 ( FIG. 1 ).
  • a register file 34 provides general purpose read-write registers.
  • a coprocessor MUX 36 connects the core CPU 30 to the bus 8 and also two coprocessors, an MD5 coprocessor 38 and a multiplier coprocessor 40 .
  • the MD5 coprocessor carries out the hashing function required by the digital signal algorithm.
  • the multiplier coprocessor 40 is used during RSA encryption.
  • the AFC processor 22 operates by producing a hash function and a signature of the application code using a public key from the code ROM 32 ( FIG. 2 ) as will now be described with reference to FIGS. 1 and 2 .
  • the AFC 22 executes code stored in code ROM 32 and uses RAM 42 for temporary storage.
  • the code in code ROM 32 is only accessible by the verifier processor and instructs the processor 30 to undertake the following steps:
  • the verifier processor 30 is not externally accessible other than in specific ways described later, and so cannot be hacked and only runs from the code in ROM which cannot be changed.
  • each set of steps comprising a cycle of the verifier processor.
  • the CPU 10 continues to operate as normal in retrieving and executing the application code over the same internal bus 8 as used by the verifier processor 30 .
  • the verifier processor requests application code from the memory less frequently than the CPU, for example the verifier requests code once every 1,000 to 10,000 CPU requests.
  • the verifier requests are at pseudo random times and could be at pseudo random locations. This helps obscure the verifier requests amongst the CPU requests.
  • the requests made at external connections at interface 20 for data from the flash 2 thus comprise CPU requests and pseudo random requests at pseudo random times comparatively infrequently mixed together.
  • the hash function can be any one-way hash function which has the advantage that any small change in the application code will result in a large change in the hashed code, but is mathematically all but impossible to derive multiple changes that could be made to the application code such that the hashed code is unchanged.
  • the MD5 coprocessor 38 continually receives the application code from the flash in a pseudo-random read pattern, and uses a known hash function such as MD5.
  • the signatures are in a portion of memory 2 not to be checked.
  • the next step is then to verify the hashed code against the signature by the standard digital signature technique of decrypting the signature using the public key and comparing to the hashed code.
  • the preferred algorithm is RSA. Provided that the signature is verified, then no action is taken. If the application code does not verify the signature, however, an impair function results by issuing a chip reset, preventing the chip operating further.
  • a linked list is a known technique for organizing code and comprises a plurality of nodes, each node having an address, length and pointer to the next block defining how the code is stored in memory 2 . This allows code to be downloaded to add or remove blocks of code from the linked list.
  • FIG. 3 The structure of an example block in a linked list 50 is shown in FIG. 3 .
  • the pointer to the start of this table is hard defined in a fixed location in local ROM 32 .
  • the structure of the table includes the block address, this being the address of the start of signed code, the block length, the signature address, this being the location of the signature corresponding to the block of code, the block number and the address of the next block.
  • FIG. 4 The structure of the memory 2 using a linked list is shown in FIG. 4 . As can be seen, there are signed portions and unsigned portions of memory. Each node points to the address of the each block and its corresponding signature 52 . A pointer at a fixed location indicates the location of the first node and thereafter follows from one block to another as defined by the address nodes.
  • the instruction monitor 24 monitors instruction requests made by CPU 10 to memory 2 to ensure that only checked portions of memory are accessed.
  • the instruction monitor needs information as to the areas of memory that have been verified. In its simplest form, this could be achieved by only allowing the CPU to run from a predefined area of memory.
  • the latter requires an initial check of the whole linked list (the list being dynamic in that a table cannot be derived until the whole list has been checked) to derive the table and thereafter the instruction monitor checks that the CPU only requests from checked areas. For this reason there are two main modes of operation: boot sector only mode; and linked list mode.
  • the functioning of the AFC 22 and IM 24 are shown in FIG. 5 , including the two modes of operation.
  • the core CPU 30 On reset of the circuit 1 (powerup), the core CPU 30 (known as cryptocore) boots in a boot sector only (BSO) mode at step 60 .
  • the core CPU 30 starts checking the boot sector in the Flash 2 for the main CPU 10 at step 62 by performing the signature check as previously described.
  • the instruction monitor IM 24 is switched off. No pause or step requests are allowed during this check.
  • the AFC 22 updates a table of allowed addresses stored in RAM 42 and enables the instruction monitor 24 at step 64 . Thereafter, at step 66 the boot sector check is repeated cyclically and may now be paused or stopped as described later.
  • the main CPU 10 is booting from memory 2 and copies code to RAM 4 for subsequent execution.
  • the instruction monitor is off for the first high speed check.
  • the main CPU 10 may issue a linked list restart request. This will cause the cryptocore 30 to immediately stop the current process and restart performing a boot sector check followed by a linked list (at step 68 ). No pause or stop requests are allowed during this check following a restart request.
  • the linked list table is updated and enabled after the first completed check at step 70 . The linked list check is then repeated cyclically at step 72 and 74 .
  • the linked list when checked once is stored as a linked list table in RAM 42 to which the instruction monitor then refers to ensure any CPU requests are to addresses in a range of checked addresses. If not, the IM 24 issues a reset.
  • the only commands available to the CPU 10 to control the verifier processor 22 are: STOP, RESTART, PAUSE. Thereafter, the operation of the AFC processor is autonomous and largely in hardware, with the only software being in ROM 32 or RAM 42 which are only accessible by the processor 30 .
  • a first preferred feature is that no pausing or stopping is allowed during any initial first pass check cycle.
  • the status bit Acheck_is_slow@ indicates whether we are in an initial first pass cycle or not.
  • a pause request pauses the memory reads for 1 second; to allow for scratch pad updates.
  • a limited number of pause requests are allowed in any one complete signature check cycle. If another pause request is received before the current pause is completed, the request is stored and then executed on completion of the current pause. Up to a limited number of pending pause requests can be queued in this way. Once this limit has been reached, further pause requests will have no effect until the number of pending requests falls below the limit.
  • a stop request stops the signature check and starts a timer countdown to reset (5 minutes). This is to allow complete code updates. If a restart_request or linked list restart is issued within this time, a new check cycle will be started and the reset is not executed. Once a restart request has been made, no further stop requests can be issued until one check cycle has been completed.
  • a status bit is set to indicate this, an interrupt is asserted to the host CPU and a timer countdown of 1 second is started. This counter cannot be stopped. When it expires, the reset_out signal is asserted. This process gives the host CPU time to interrogate the interrupt, execute a Flash write procedure (whereby a message is written to Flash that is checked on reboot, telling the CPU that there was a previous signature check failure, in which case it is assumed some or all of the code in memory has been compromised and needs to be downloaded again).
  • the list of legal address registers is updated at the end of each signature check cycle, and enabled after the first cycle.
  • incoming addresses from the CPU 10 are retimed, captured and checked that they lie within one of these ranges. If this is not the case, the illegal incoming address is stored, a status bit is set, an interrupt is asserted to the host CPU and a timer countdown of 1 second is started. This timer cannot be stopped. At expiration, the reset_out signal is asserted.

Abstract

A semiconductor integrated circuit includes a processor for executing application code from a memory and a verifier processor arranged to receive the application code via the same internal bus as the processor. The verifier processor performs a verification function to check that the application code is authentic. The verifier processor runs autonomously and cannot be spoofed as it receives the application code via the same internal bus as the main processor. An additional instruction monitor checks the code instructions from the CPU and also impairs the operation of the circuit unless the address of code requested is in a given range. The code is in the form of a linked list and the range is derived as a linked list table during a first check.

Description

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a memory security device, and in particular to the security of flash memory used in conditional access devices.
2. Description of the Related Art
In conditional access devices for pay television, or any other device using memory and requiring security, there is a need to provide flash memory but to avoid hacking. Hacking is the unauthorised placing of software in memory to override security features.
A known way of attempting to prevent hacking is to use some form of checking instructed by ROM memory to ensure that an application code stored in flash memory is correct.
In such devices, a flash memory has a boot sector and an application sector. A CPU is arranged to run application code from the flash memory retrieved over an interface. The security is provided by the fact that the CPU boots from a boot ROM which contains code to check the boot sector of the flash memory. This is done once by the CPU producing a function of the code in the boot sector and comparing with a stored signature on startup. The CPU then jumps to the code in the boot sector if it passes the check.
We have appreciated, however, that there is a relatively simple way of hacking such a security arrangement. When the CPU boots up using code from the ROM, the CPU checks that the code in the boot sector is correct. The weakness is that the process of power on, CPU boot and checking the flash takes a predictable number of clock cycles of the CPU clock. Thus to hack the system, a hacker places code in an unchecked part of the flash memory and forces the CPU to read from that part of the memory after a predetermined number of clock cycles by fixing an external address line.
The CPU thereafter runs from unchecked code and no further checks are conducted, because the verification of code is only conducted on boot up from the ROM.
We have appreciated the problem that memory storing application code within devices can be insecure and prone to hacking by storing unauthorised code.
We have further appreciated the need to provide security to memory which stores application code, but to also allow the application code to be changed or updated. Further, we have appreciated deficiencies in the prior art in that a CPU could be hacked to run from unverified code, whilst checking devices redundantly checks verified code.
BRIEF SUMMARY OF THE INVENTION
An embodiment of the invention comprises an additional processor termed a verifier processor and code arranged to read data from a memory to be checked, to produce a function of that data, and to verify that function of the data against a stored code. The verifier processor is on the same device and has the same external interfaces as a CPU which runs application code from the memory. The advantage of using an additional processor on the same device as a CPU is that the system cannot be hacked by changing code stored in memory as the additional processor would then also receive changed application code which would not be verified.
The verifier processor is arranged to continually check the flash memory whilst the CPU executes from the flash memory. If the address lines of the device were redirected so that the CPU runs from unauthorised code, then the verifier processor would also be redirected to that unauthorised code which would not pass the check.
Code stored in memory (flash or otherwise) is thus hashed using a hashing function such as MD5 and signed using a signature algorithm such as RSA by the author of the code. The hash of the code is signed using a private key, and stored in flash. The verifier processor reads the section of signed code, and produces a hash of the code. The verifier processor then uses the corresponding public key to decrypt the hash. The prestored signature of the hash signed with the private key is retrieved and also decrypted using the public key. Using known digital signature techniques the result of hashing and signing the code is compared with the decrypted stored digital signature. If they do not match, the code is considered compromised and the circuit functioning is impaired by issuing a device reset or similar.
In addition to the verifier processor, an instruction monitor is arranged to monitor instructions from the CPU to read from memory and checks that the instruction fetches are within a range of addresses that have been signature checked as described above.
The embodiment thus comprises an additional processor function which runs independently of a CPU but is within the same integrated circuit as that CPU and shares the same bus. The processor function analyses the application code applied to the CPU and, if not authentic, issues a reset signal to reset the integrated circuit. An instruction monitor ensures that the CPU can only take instructions from checked areas of memory. On detecting code fetches which fall outside the allowed range, the function of the circuit is impaired by issuing a reset or other impairing action.
BRIEF DESCRIPTION OF THE DRAWINGS
An embodiment of the invention will now be described by way of example only and with reference to the figures in which:
FIG. 1 shows the main components of an integrated circuit embodying the invention;
FIG. 2 shows a more detailed view of the architecture of the autonomous flash checker (AFC) shown in FIG. 1;
FIG. 3 shows the link list structure for two nodes;
FIG. 4 shows the flash memory structure including link lists of FIG. 3; and
FIG. 5 shows the process steps of checking code.
 DETAILED DESCRIPTION OF THE INVENTION
An integrated circuit 1 according to one embodiment of the invention is shown in FIG. 1. A processor (CPU) 10 is connected via an internal bus 8 and an external interface 20 to a flash memory 2. The flash memory 2 contains application code for execution by the CPU 10. Internal RAM 4 and external RAM 6 are also provided.
The circuit 1 also comprises two additional components for ensuring that code in flash 2 is not hacked: a verifier processor 22 known as an Autonomous Flash Checker (AFC) and an instruction monitor (IM) 24. The purpose of the AFC is to check portions of code from memory 2 and verify that those portions match a corresponding signature accompanying the code. If the signature does not match, then the AFC 22 will issue a reset instruction. The purpose of the instruction monitor 24 is to monitor code instruction requests on an instruction line 12 from the CPU 10 and to check that the requests fall within an allowed range as reported by the AFC 22. If the instruction requests fall outside that range, the instruction monitor 24 issues a reset instruction. The CPU 10 is thereby prevented from executing unsigned unchecked code.
On power up of integrated circuit 1, the CPU 10 is directed to the boot vector of the flash memory 2. The application code is then retrieved over bus 8 by the CPU 10 which executes the code. The application code is stored in a signed code portion of the flash memory 2. It is noted that the AFC 22 is connected to the same internal bus 8 and external connections as the CPU, and so retrieves exactly the same code as the CPU without possibility of external interference. This is because the CPU, AFC processor and interconnect bus 8 are all part of the same integrated circuit.
The CPU 10 and flash memory 2 operate in a known fashion, unless the AFC processor determines that the application code in flash memory 2 is not authentic, in which case, it impairs operation of the device 1 by issuing a reset causing the device 1 to reset and the boot sequence to be restarted. Thus, if the application code has been tampered with, the set top box will repeatedly reboot and will not function for example to decrypt received TV signals. Other forms of impairing the operation of device 1 could be used such as disabling or stopping the device clock or otherwise limiting the functionality of the device.
The main components of the AFC are shown in greater detail in FIG. 2. A CPU core 30 provides the encryption/decryption functions as well as the digital signature checking already described, and operates under instruction from code ROM 32. The code ROM contains code for executing digital signature checking and memory to memory data processing functions. It also contains the public key of the or each provider of the code that is stored in flash 2 (FIG. 1). A register file 34 provides general purpose read-write registers. A coprocessor MUX 36 connects the core CPU 30 to the bus 8 and also two coprocessors, an MD5 coprocessor 38 and a multiplier coprocessor 40. The MD5 coprocessor carries out the hashing function required by the digital signal algorithm. The multiplier coprocessor 40 is used during RSA encryption.
The AFC processor 22 operates by producing a hash function and a signature of the application code using a public key from the code ROM 32 (FIG. 2) as will now be described with reference to FIGS. 1 and 2.
The AFC 22 executes code stored in code ROM 32 and uses RAM 42 for temporary storage. The code in code ROM 32 is only accessible by the verifier processor and instructs the processor 30 to undertake the following steps:
produce a hash of application code received from the flash memory;
produce a signature function of the hashed code; and
verify that the signature is correct.
The verifier processor 30 is not externally accessible other than in specific ways described later, and so cannot be hacked and only runs from the code in ROM which cannot be changed.
If the signature is correct then the application code in flash memory 2 is deemed authentic.
The steps set out above are undertaken continually; each set of steps comprising a cycle of the verifier processor. During each cycle the CPU 10 continues to operate as normal in retrieving and executing the application code over the same internal bus 8 as used by the verifier processor 30. Accordingly, to avoid reducing the performance of the CPU 10, the verifier processor requests application code from the memory less frequently than the CPU, for example the verifier requests code once every 1,000 to 10,000 CPU requests. Also, the verifier requests are at pseudo random times and could be at pseudo random locations. This helps obscure the verifier requests amongst the CPU requests. The requests made at external connections at interface 20 for data from the flash 2 thus comprise CPU requests and pseudo random requests at pseudo random times comparatively infrequently mixed together. It is thus infeasible for a hacker to determine how to spoof the external address lines to direct the CPU 10 to hacked code but the verifier 30 to genuine code. The use of pseudo random locations and times makes spoofing harder. The requests to the flash memory themselves are indistinguishable, whether made by the CPU or verifier processor.
As each word of data to be hashed is fetched from memory 2 it is passed to the MD5 coprocessor which performs the one way hash on the data. The hash function can be any one-way hash function which has the advantage that any small change in the application code will result in a large change in the hashed code, but is mathematically all but impossible to derive multiple changes that could be made to the application code such that the hashed code is unchanged. Preferably, the MD5 coprocessor 38 continually receives the application code from the flash in a pseudo-random read pattern, and uses a known hash function such as MD5.
Each block of code has an associated digital signature which was generated using the code author=s private key. The signatures are in a portion of memory 2 not to be checked. The next step is then to verify the hashed code against the signature by the standard digital signature technique of decrypting the signature using the public key and comparing to the hashed code. The preferred algorithm is RSA. Provided that the signature is verified, then no action is taken. If the application code does not verify the signature, however, an impair function results by issuing a chip reset, preventing the chip operating further.
Whilst the arrangement described so far is secure, we have appreciated that security can be improved, particularly for software in the memory 2 which is constructed and maintained as a linked list. A linked list is a known technique for organizing code and comprises a plurality of nodes, each node having an address, length and pointer to the next block defining how the code is stored in memory 2. This allows code to be downloaded to add or remove blocks of code from the linked list. The structure of an example block in a linked list 50 is shown in FIG. 3. There is a hard-defined address in memory that is the start of a table that contains information as to the size of each signed block, size of block and so on. The pointer to the start of this table is hard defined in a fixed location in local ROM 32.
The structure of the table, as shown in FIG. 3, includes the block address, this being the address of the start of signed code, the block length, the signature address, this being the location of the signature corresponding to the block of code, the block number and the address of the next block.
The structure of the memory 2 using a linked list is shown in FIG. 4. As can be seen, there are signed portions and unsigned portions of memory. Each node points to the address of the each block and its corresponding signature 52. A pointer at a fixed location indicates the location of the first node and thereafter follows from one block to another as defined by the address nodes.
The instruction monitor 24, as shown in FIG. 1, monitors instruction requests made by CPU 10 to memory 2 to ensure that only checked portions of memory are accessed. As shown by the explanation of the linked list memory structure, the instruction monitor needs information as to the areas of memory that have been verified. In its simplest form, this could be achieved by only allowing the CPU to run from a predefined area of memory. As an alternative, there could be a plurality of fixed predefined regions, but preferably there is a dynamic linked list from which a table of allowed areas is devised by the AFC 22. The latter requires an initial check of the whole linked list (the list being dynamic in that a table cannot be derived until the whole list has been checked) to derive the table and thereafter the instruction monitor checks that the CPU only requests from checked areas. For this reason there are two main modes of operation: boot sector only mode; and linked list mode.
The functioning of the AFC 22 and IM 24 are shown in FIG. 5, including the two modes of operation. On reset of the circuit 1 (powerup), the core CPU 30 (known as cryptocore) boots in a boot sector only (BSO) mode at step 60. The core CPU 30 starts checking the boot sector in the Flash 2 for the main CPU 10 at step 62 by performing the signature check as previously described. During this process the instruction monitor IM 24 is switched off. No pause or step requests are allowed during this check.
On completion of this first check, the AFC 22 updates a table of allowed addresses stored in RAM 42 and enables the instruction monitor 24 at step 64. Thereafter, at step 66 the boot sector check is repeated cyclically and may now be paused or stopped as described later.
At the same time as the boot sector check, the main CPU 10 is booting from memory 2 and copies code to RAM 4 for subsequent execution. The instruction monitor is off for the first high speed check.
At any point in the boot sector only mode the main CPU 10 may issue a linked list restart request. This will cause the cryptocore 30 to immediately stop the current process and restart performing a boot sector check followed by a linked list (at step 68). No pause or stop requests are allowed during this check following a restart request. As before, the linked list table is updated and enabled after the first completed check at step 70. The linked list check is then repeated cyclically at step 72 and 74.
The linked list when checked once is stored as a linked list table in RAM 42 to which the instruction monitor then refers to ensure any CPU requests are to addresses in a range of checked addresses. If not, the IM 24 issues a reset.
We have also appreciated that there may be a need to download new (authentic) code to the flash memory 2 and that this should be provided for so that the AFC does not erroneously reject this new code. To allow this, the verifier processor must be stopped for a period of time M, but again this could leave the possibility of a hack in which the AFC is permanently stopped. To prevent this, the code in ROM 32 causes the verifier processor to automatically issue a chip reset after this period M, and starts the verification at the beginning of the new code in flash memory.
The only commands available to the CPU 10 to control the verifier processor 22 are: STOP, RESTART, PAUSE. Thereafter, the operation of the AFC processor is autonomous and largely in hardware, with the only software being in ROM 32 or RAM 42 which are only accessible by the processor 30.
We have appreciated, however, that these commands need to be available to the CPU to avoid contention and allow flash memory updates, but could open the possibility of hacks which permanently pause or stop the AFC or continually reset. For that reason, further preferred features are included.
A first preferred feature is that no pausing or stopping is allowed during any initial first pass check cycle. The status bit Acheck_is_slow@ indicates whether we are in an initial first pass cycle or not.
A pause request pauses the memory reads for 1 second; to allow for scratch pad updates. A limited number of pause requests are allowed in any one complete signature check cycle. If another pause request is received before the current pause is completed, the request is stored and then executed on completion of the current pause. Up to a limited number of pending pause requests can be queued in this way. Once this limit has been reached, further pause requests will have no effect until the number of pending requests falls below the limit.
A stop request stops the signature check and starts a timer countdown to reset (5 minutes). This is to allow complete code updates. If a restart_request or linked list restart is issued within this time, a new check cycle will be started and the reset is not executed. Once a restart request has been made, no further stop requests can be issued until one check cycle has been completed.
If the decrypted signature/hash value comparison passes, a note of this fact, and the start and end addresses of the passing block, are stored in local RAM. Upon completion of a signature check cycle, a table of passing address ranges will have been built up in peripheral registers. This Alegal address@ table is then enabled.
If the decrypted signature/hash value comparison does not match, a status bit is set to indicate this, an interrupt is asserted to the host CPU and a timer countdown of 1 second is started. This counter cannot be stopped. When it expires, the reset_out signal is asserted. This process gives the host CPU time to interrogate the interrupt, execute a Flash write procedure (whereby a message is written to Flash that is checked on reboot, telling the CPU that there was a previous signature check failure, in which case it is assumed some or all of the code in memory has been compromised and needs to be downloaded again).
The list of legal address registers is updated at the end of each signature check cycle, and enabled after the first cycle. As an independent and continuous hardware process, incoming addresses from the CPU 10 are retimed, captured and checked that they lie within one of these ranges. If this is not the case, the illegal incoming address is stored, a status bit is set, an interrupt is asserted to the host CPU and a timer countdown of 1 second is started. This timer cannot be stopped. At expiration, the reset_out signal is asserted.
All of the above U.S. patents, U.S. patent application publications, U.S. patent applications, foreign patents, foreign patent applications and non-patent publications referred to in this specification and/or listed in the Application Data Sheet, are incorporated herein by reference in their entireties.
From the foregoing it will be appreciated that, although specific embodiments of the invention have been described herein for purposes of illustration, various modifications may be made without deviating from the spirit and scope of the invention. Accordingly, the invention is not limited except as by the appended claims.

Claims (32)

1. A semiconductor integrated circuit to execute application code to be received from a memory via external connections, comprising:
a processor to execute the application code from the memory;
an internal bus to provide the application code to the processor from the memory;
a verifier processor to receive the application code via the internal bus, wherein the verifier processor continually processes the application code using a verification function while the processor executes the application code from the memory independently of the verifier processor, and to impair the function of the integrated circuit in an event that the application code does not satisfy the verification function; and
an instruction monitor to monitor code requests issued by the processor and to impair the function of the integrated circuit unless addresses of the code requests fall within a given range.
2. The semiconductor, integrated circuit according to claim 1 further comprising an internal memory; wherein the given range is stored in the internal memory.
3. The semiconductor integrated circuit according to claim 1 wherein the given range is derived by the verifier processor during a first check of the memory.
4. The semiconductor integrated circuit according to claim 3 wherein the application code in memory comprises a linked list; and wherein the given range comprises a table of linked list addresses.
5. The semiconductor integrated circuit according to claim 3 wherein the verifier processor is to impair the function of the integrated circuit if the verification function is not completed for one complete cycle of the linked list within a predetermined time.
6. The semiconductor integrated circuit according to claim 1 wherein the verifier processor is to receive pause and stop requests and is configured so that any pause and stop request is ineffective during a first check of the code.
7. The semiconductor integrated circuit according to claim 1 wherein the verifier processor is paused for only a predetermined time.
8. The semiconductor integrated circuit according to claim 1 wherein if the application codes does not satisfy the verification function, a reset signal is asserted after a predetermined time.
9. The semiconductor integrated circuit according to claim 8 wherein a status signal is set and stored to indicate that the code does not satisfy the verification function before the reset signal is asserted.
10. The semiconductor integrated circuit according to claim 1 wherein the verification function includes a hash function on the application code.
11. The semiconductor integrated circuit according to claim 1 wherein the verifier processor is to receive a stored secret from the memory; and wherein the verification function comprises a comparison of the secret and the processed application code.
12. The semiconductor integrated circuit according to claim 1 wherein the verification function comprises:
hashing the application code to produce hashed code;
retrieving a signature of the application code from a signature store within the memory; and
verifying the hashed code and the signature using a public key.
13. The semiconductor integrated circuit according to claim 1 wherein the verifier processor comprises a stop input; and wherein the verifier processor is to restart a given time period after a stop and does not stop again until completing the verification function on the application code at least once.
14. The semiconductor integrated circuit according to claim 1 wherein the verifier processor is to request portions of the application code from the memory at intervals between requests by the processor for portions of the application code.
15. The semiconductor integrated circuit according to claim 14 wherein the verifier processor is to request portions of application code at less frequent intervals than the processor.
16. The semiconductor integrated circuit according to claim 14 wherein the verifier processor is to request portions of the application code at pseudo random times.
17. The semiconductor integrated circuit according to claim 14 wherein the verifier processor is to carry out read requests at a faster rate during a first check than in subsequent checks.
18. The semiconductor integrated circuit according to claim 1 wherein impairing the function of the integrated circuit comprises resetting the integrated circuit.
19. A semiconductor integrated circuit to execute application code to be received from a memory, comprising:
a processor to execute the application code from the memory;
an internal bus connected to the processor to provide the application code to the processor from the memory;
a verifier processor to receive the application code via the internal bus, wherein the verifier processor processes the application code using a verification function while the processor executes the application code from the memory independently of the verifier processor, and to impair the execution of the integrated circuit if the application code does not satisfy the verification function; and
an instruction monitor to be connected to the internal bus, to monitor code requests issued by the processor, and to impair the execution of the integrated circuit unless addresses of the code requests fall within a given range.
20. The semiconductor integrated circuit of claim 19 wherein the given range is derived by the verifier processor during a check of the memory.
21. The semiconductor integrated circuit of claim 19 wherein the application code in memory comprises a linked list; and wherein the given range is stored in a table of linked list addresses.
22. The semiconductor integrated circuit of claim 19 wherein the verification processor is to impair the execution of the integrated circuit by asserting a reset signal to the processor if the application code does not satisfy the verification function within a predetermined time.
23. The semiconductor integrated circuit of claim 19 wherein the verification processor includes:
an internal processor to coordinate processing of the application code using the verification function and to impair the execution of the integrated circuit if the application code does not satisfy the verification function;
a code memory to be coupled to the internal processor, to store code for controlling the internal processor to process the application code, and to impair the execution of the integrated circuit if the application code does not satisfy the verification function; and
an interface circuit to be connected to the internal processor with the internal bus.
24. A memory system, comprising:
a non-volatile memory to store application code; and
a semiconductor integrated circuit to execute the application code to be received from the non-volatile memory, the integrated circuit including:
a processor to execute the application code from the non-volatile memory,
an internal bus connected to the processor to provide the application code to the processor from the non-volatile memory;
a verifier processor to receive the application code via the internal bus, wherein the verifier processor processes the application code using a verification function while the processor executes the application code from the non-volatile memory independently of the verifier processor, and to render the memory system at least partly unusable if the application code does not satisfy the verification function, and
an instruction monitor to be connected to the internal bus, to monitor code requests issued by the processor, and to impair the execution of the integrated circuit unless addresses of the code requests fall within a given range.
25. The memory system of claim 24 wherein the given range is derived by the verifier processor during a check of the non-volatile memory.
26. The memory system of claim 24 further comprising an internal memory; wherein the non-volatile memory includes a linked list for accessing the application code; and wherein the given range is stored in the internal memory of the integrated circuit as a table of linked list addresses.
27. The memory system of claim 24 wherein the verification processor is to impair the execution of the integrated circuit by asserting a reset signal to the processor if the application code does not satisfy the verification function within a predetermined time.
28. The memory system of claim 24 wherein the verification processor includes:
an internal processor to coordinate the processing of the application code using the verification function and to impair the execution of the integrated circuit if the application code does not satisfy the verification function;
a code memory to be coupled to the internal processor, to store code for controlling the internal processor to process the application code, and to impair the execution of the integrated circuit if the application code does not satisfy the verification function; and
an interface circuit to be connected to the internal processor with the internal bus.
29. A method for executing application code received from an external memory via external connections, the method comprising:
executing application code from the external memory with a processor;
providing the application code to the processor via an internal bus;
providing the application code to a verifier processor via the internal bus;
continually processing the application code with the verifier processor, while the processor executes the application code independently of the verifier processor, using a verification function;
monitoring code requests issued by the processor with an instruction monitor; and
impairing operation of the integrated circuit if the application code does not satisfy the verification function or if addresses of the code requests fall outside a given range.
30. The method of claim 29 further comprising deriving the given range with the verifier processor during a check of the external memory.
31. The method of claim 29 further comprising storing the given range in an internal memory.
32. The method of claim 29 further comprising:
receiving pause and stop requests at the verifier processor; and
configuring the verifier processor so that any pause and stop request is ineffective during a first check of the code.
US10/817,148 2003-04-03 2004-04-02 Memory security device for flexible software environment Active 2027-10-02 US7624442B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP03252116A EP1465038B1 (en) 2003-04-03 2003-04-03 Memory security device for flexible software environment
EP03252116.3 2003-04-03

Publications (2)

Publication Number Publication Date
US20050028004A1 US20050028004A1 (en) 2005-02-03
US7624442B2 true US7624442B2 (en) 2009-11-24

Family

ID=32842847

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/817,148 Active 2027-10-02 US7624442B2 (en) 2003-04-03 2004-04-02 Memory security device for flexible software environment

Country Status (2)

Country Link
US (1) US7624442B2 (en)
EP (1) EP1465038B1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100191980A1 (en) * 2007-07-05 2010-07-29 Nxp B.V. Microprocessor in a security-sensitive system
US8135830B2 (en) 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8700767B2 (en) 2002-01-15 2014-04-15 Mcafee, Inc. System and method for network vulnerability detection and reporting

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1333350A1 (en) * 2002-01-30 2003-08-06 STMicroelectronics Limited Memory security device
US20070266435A1 (en) * 2005-12-28 2007-11-15 Williams Paul D System and method for intrusion detection in a computer system
US7644322B2 (en) * 2006-11-21 2010-01-05 Atmel Corporation Hardware flow control monitor
US8782367B2 (en) 2006-12-20 2014-07-15 Stmicroelectronics S.A. Memory area protection circuit
US8392726B2 (en) 2006-12-20 2013-03-05 Stmicroelectronics S.A. Protection of memory areas
CN102263130A (en) * 2011-06-16 2011-11-30 中国电子科技集团公司第四十四研究所 Charge-coupled device (CCD) unit structure capable of reducing CCD dark current
DE102013111966B4 (en) 2013-10-30 2017-11-02 Infineon Technologies Ag Field effect semiconductor device and method for its production
US9531750B2 (en) * 2015-05-19 2016-12-27 Ford Global Technologies, Llc Spoofing detection
EP3291087A1 (en) * 2016-09-01 2018-03-07 Nxp B.V. Apparatus and associated method for authenticating firmware

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0481735A2 (en) 1990-10-19 1992-04-22 Emc Corporation Address protection circuit
WO2001024012A1 (en) 1999-09-30 2001-04-05 Aristocrat Technologies Australia Pty Limited Gaming security system
WO2001061437A2 (en) 2000-02-17 2001-08-23 General Instrument Corporation Method and system for secure downloading of software
US6311273B1 (en) 1997-02-13 2001-10-30 Walter A. Helbig, Sr. Method and apparatus for enhancing computer system security
US6430727B1 (en) * 1996-12-19 2002-08-06 Sgs-Thomson Microelectronics Limited Diagnostic procedures in an integrated circuit device
US20030005277A1 (en) * 2001-06-29 2003-01-02 Harding Matthew C. Automatic replacement of corrupted BIOS image
US20030229777A1 (en) * 2002-06-07 2003-12-11 Dinarte Morais Use of hashing in a secure boot loader

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0481735A2 (en) 1990-10-19 1992-04-22 Emc Corporation Address protection circuit
US6430727B1 (en) * 1996-12-19 2002-08-06 Sgs-Thomson Microelectronics Limited Diagnostic procedures in an integrated circuit device
US6311273B1 (en) 1997-02-13 2001-10-30 Walter A. Helbig, Sr. Method and apparatus for enhancing computer system security
WO2001024012A1 (en) 1999-09-30 2001-04-05 Aristocrat Technologies Australia Pty Limited Gaming security system
WO2001061437A2 (en) 2000-02-17 2001-08-23 General Instrument Corporation Method and system for secure downloading of software
US20030005277A1 (en) * 2001-06-29 2003-01-02 Harding Matthew C. Automatic replacement of corrupted BIOS image
US20030229777A1 (en) * 2002-06-07 2003-12-11 Dinarte Morais Use of hashing in a secure boot loader

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8135830B2 (en) 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8615582B2 (en) 2002-01-15 2013-12-24 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8621073B2 (en) 2002-01-15 2013-12-31 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8700767B2 (en) 2002-01-15 2014-04-15 Mcafee, Inc. System and method for network vulnerability detection and reporting
US20100191980A1 (en) * 2007-07-05 2010-07-29 Nxp B.V. Microprocessor in a security-sensitive system
US8205097B2 (en) * 2007-07-05 2012-06-19 Nxp B.V. Microprocessor in a security-sensitive system

Also Published As

Publication number Publication date
EP1465038B1 (en) 2013-03-27
EP1465038A1 (en) 2004-10-06
US20050028004A1 (en) 2005-02-03

Similar Documents

Publication Publication Date Title
US9842212B2 (en) System and method for a renewable secure boot
US9542114B2 (en) Methods and apparatus to protect memory regions during low-power states
US9710651B2 (en) Secure processor for SoC initialization
US6223284B1 (en) Method and apparatus for remote ROM flashing and security management for a computer system
US8438658B2 (en) Providing sealed storage in a data processing device
US11455397B2 (en) Secure boot assist for devices, and related systems, methods and devices
US9853974B2 (en) Implementing access control by system-on-chip
KR100851631B1 (en) Secure mode controlled memory
WO2020037612A1 (en) Embedded program secure boot method, apparatus and device, and storage medium
JP4954228B2 (en) Bootloader safety update without knowledge of safety key
US20090193211A1 (en) Software authentication for computer systems
JP5346608B2 (en) Information processing apparatus and file verification system
US7624442B2 (en) Memory security device for flexible software environment
US8108905B2 (en) System and method for an isolated process to control address translation
US7707638B2 (en) Autonomous software integrity checker
US11797681B2 (en) Fast and versatile multicore SoC secure boot method
KR20080071576A (en) Method and apparatus for securing digital content
KR102415005B1 (en) Hardware security module for verifying execution code, device having the same, and operating method thereof
CN115357948A (en) Hardware anti-copying encryption method and device based on TEE and encryption chip
JP2002055725A (en) Bios chip for managing code and method for managing the same code

Legal Events

Date Code Title Description
AS Assignment

Owner name: STMICROELECTRONICS LIMITED, UNITED KINGDOM

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DELLOW, ANDREW;BENNETT, PETER;REEL/FRAME:023110/0113

Effective date: 20040909

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: STMICROELECTRONICS (RESEARCH & DEVELOPMENT) LIMITE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:STMICROELECTRONICS LIMITED;REEL/FRAME:038847/0890

Effective date: 20160518

FPAY Fee payment

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12